ASSESSMENT REPORT 09-01

FEDERAL DIGITAL SYSTEM (FDSYS) INDEPENDENT VERIFICATION AND VALIDATION (IV&V) – FOURTH QUARTER REPORT ON RISK MANAGEMENT, ISSUES, AND TRACEABILITY

November 4, 2008

OFFICE OF INSPECTOR GENERAL


Memorandum
OFFICE OF THE INSPECTOR GENERAL
WASHINGTON, DC 20401

DATE:      November 4, 2008

REPLY TO
ATTN OF:   Assistant Inspector General for Audits and Inspections

SUBJECT:   Federal Digital System (FDsys) Independent Verification and Validation (IV&V) – Fourth Quarter Report on Risk Management, Issues, and Traceability
           Report Number 09-01

TO:        Chief Information Officer

The GPO Office of Inspector General (OIG) is conducting independent verification and validation (IV&V) of GPO’s Federal Digital System (FDsys)[1] implementation. The OIG contracted with American Systems[2] to conduct IV&V for the public release of FDsys Release 1.C.[3] As part of its contract with the OIG, American Systems is assessing the state of program management, technical and testing plans, and other efforts related to the rollout of Release 1.C. American Systems is required by the contract to issue to the OIG a quarterly Risk Management, Issues, and Traceability Report, providing observations and recommendations on the program’s technical, schedule, and cost risks as well as requirements traceability of those risks and the effectiveness of the program management processes in controlling risk avoidance. Additionally, at the end of each FDsys release phase, American Systems is required to issue a release phase summary program management report that addresses delivery of the technical baseline per the FDsys Master Program Schedule and the risks that affect the schedule’s critical path to the next phase.

The enclosed report is American Systems’ quarterly report for the period April 2008 to June 2008. Section 7 of the report contains five recommendations designed to improve current and future FDsys project efforts. Management concurred with each of the five recommendations. We consider the actions proposed by management responsive to each of the recommendations. Management’s response is included in its entirety in Appendix A of the report. The recommendations are resolved and will remain open until management has completed the proposed actions and IV&V has completed follow-up work. The status of each recommendation upon issuance of this report is included in Appendix B. The final report distribution is in Appendix C.

In their response to this report (see Appendix A), management requested that a draft of each quarterly report be provided no later than one week after the end of the reporting period. However, the OIG’s contract with American Systems requires that each quarterly report be delivered to the OIG no later than two weeks after the end of each quarter. Once received, the report goes through an OIG review process before issuance to management for comments. Therefore, it is not possible to meet management’s specific request. We will, however, as we have done previously, continue to brief management during each review period on findings and recommendations identified as IV&V tasks are completed.

If you have questions concerning this report or the IV&V process, please contact Mr. Brent Melson, Deputy Assistant Inspector General for Audits and Inspections, at (202) 512-2037, or me at (202) 512-2009.

Kevin J. Carson
Assistant Inspector General for Audits and Inspections

Attachment

cc:
Chief of Staff
Chief Management Officer
Chief Technology Officer

[1] The FDsys program is a multimillion dollar effort that GPO is funding and managing to modernize the GPO information collection, processing, and dissemination capabilities it performs for the three branches of the Federal Government.
[2] American Systems, located in Chantilly, Virginia, is a large information technology company with significant experience in the realm of IV&V for Federal civilian and Defense agencies, including the Department of State, the Navy, and the U.S. Agency for International Development.
[3] The American Systems IV&V methodology is referenced to the framework established by the Institute of Electrical and Electronic Engineers (IEEE) Standard 1012-2004, the IEEE Standard for Software Verification and Validation.


ATTACHMENT

IV&V RISK MANAGEMENT, ISSUES, AND TRACEABILITY REPORT

TO:         Brent Melson, COTR
FROM:       IV&V, Jon Valett
IV&V OF:    Quarterly Report (Final – Document Number 01-036)
SUBJECT:    April – June 2008 Quarterly Report
DATE:       July 31, 2008
CC:         Dan Rose, David Harold, John Best, Chris Parr, Shawn O’Rourke

This report presents the critical technical, schedule, and cost risks identified for the Government Printing Office (GPO) Federal Digital System (FDsys) Program. Specifically, it provides a high-level overview of the key risks and issues that IV&V has identified within the last quarter. This report also addresses IV&V task reports covering Security Requirements and the Risk Management Plan and Program that were performed over this same time period. Also during this quarter, IV&V reviewed a Quick Look Assessment of the GPO FDsys Development Approach provided by Flatirons Solutions, a Systems Engineering and Technical Assistance (SETA) contractor hired by GPO. The results of that review are contained in this report.

This is the fourth IV&V quarterly report and covers the period from April 2008 to June 2008. It includes information taken from the following:

•   IV&V Task Report, Evaluate FDsys System Security Plan, April 22, 2008;
•   IV&V Task Report, Design Phase Risk Analysis, July 2, 2008; and
•   IV&V Quick Look Report – Draft, Evaluate Initial FDsys Release 1C.2 Program Review Meetings, July 7, 2008.[4]

Over the last quarter several areas of the program appear to be making significant progress:

•   The risk program has been restarted (reference Section 5).
•   Configuration management activities are moving in the right direction. IV&V will review the configuration management plan and adherence to process during the next quarter.
•   Test planning is underway. IV&V will review test plans during the next quarter.
•   The PMO designated a team to begin the planning of the training efforts needed to support the deployment of FDsys R1C2. A high-level training schedule and list of planned deliverables has been presented. An initial Training Plan has been developed. This early attention to system training and organizational change will be critical to stakeholder acceptance of FDsys when it is deployed. At this point, however, the existing R1C2 documentation/design details are insufficient to develop detailed training materials (e.g., manuals that contain step-by-step procedures to perform tasks).
•   The conduct of formal review meetings on a regular basis (e.g., monthly) is very beneficial to the FDsys Program. These meetings provide a forum for the FDsys team to coordinate activities, evaluate progress, and discuss problem areas. Each meeting includes an agenda that encompasses the current tasks being performed. Representatives from the Program Management Office (PMO), Harris, and the other PMO Contractors present information related to their efforts. Questions/concerns (if any) from the team members are addressed.

[4] The referenced report was never issued as a final because all of the findings of the draft report are included in this quarterly. The draft report included references to a Program Review meeting that was held on July 1, 2008. The analysis of that meeting is included in this report.


1. Technical Risks Identified

During the last quarter several technical risks were identified:

•   An Integrated Master Schedule (IMS) and an approved Project Management Plan (PMP) still do not exist. The lack of a detailed IMS continues to hamper the Program. A critical path cannot be defined; overall progress cannot be determined; cost expenditures versus accomplishments cannot be measured; and the coordination of development activities is difficult. The ability to ensure deployment at the specified date (December 2008) without an IMS is highly unlikely.
•   The PMO determined that a re-design of the Documentum Repository was required because the previous design was deemed to be overly complex and did not make the best use of Documentum capabilities. While this decision may be the correct one for the overall technical solution, the decision delays the completion of system design (i.e., the System Design Document (SDD)) and may impact some software components being developed by Harris.
•   The Bill of Materials (BOM) for the Test environment has been completed and the equipment has been ordered. Because the design is not yet complete, there is a technical risk that the equipment ordered for the Test environment will not be sufficient to support testing.
•   During the quarter, IV&V reviewed the technical requirements and design artifacts being developed by the program. While the design is not complete, IV&V identified some areas of concern that may become technical risks:
    o   The R1C2 requirements baseline is not finalized. The decomposition of the system requirements into derived software requirements is complete for 11 of the 35 software components. The quality of the derived requirements in terms of testability and clarity remains questionable. Simultaneous development of requirements and detailed design is a poor system development practice that substantially increases the risk of mistakes and rework. In addition, a traceability of all requirements to the system design (including COTS) has not been performed. Without this trace, it is very hard to determine if the detailed design satisfies all system requirements.
    o   The design methodology being used to develop the detailed design is not clear. The artifacts that have been generated to date do not represent a consistent flow from the architecture to a detailed design. There is currently no established methodology that brings the various artifacts (TDFs, workflows, use cases, CDDs, etc.) together to form a coherent design.
•   System Integration Test (SIT) planning is directly related to the “engineering builds” that will be used to iteratively develop the system. The scope and content of these builds have not yet been fully defined. The SIT will be a substantial effort requiring many test cases and procedures. Delays in defining these builds may impact SIT planning efforts, creating a risk that the SIT plan will not be sufficiently detailed to adequately test the system.


2. Schedule Risks Identified

There are a number of FDsys schedule risks that accompany the above technical risks. Without an IMS, IV&V cannot truly evaluate the program schedule; however, a notional schedule was presented at the FDsys Program Review Meeting held May 21, 2008. The deployment date of late 2008 was also presented at the Program Review Meeting held on July 1, 2008. The following schedule risks have been identified:

•   As stated in Section 1, the lack of a detailed plan and IMS is a significant schedule risk.
•   The scheduled date for conduct of the FDsys R1C2 Detailed Design Review (DDR) has been changed twice. Targeted initially for May 2008, DDR was pushed out to June 30, 2008 during the May Program Review. DDR was again moved to a yet unspecified date in August during the June Program Review. Given that the DDR has slipped at least two (2) months since the original plan, achieving the goal of a December 2008 deployment is highly unlikely.
•   During the May 21, 2008 Program Review the presentation stated that a number of plans were scheduled to be delivered during June (including the IMS, PMP, Master Test Plan, User and Beta Test Plans, Configuration Management Plan, and Training Plan). None of these plans or schedules were completed by June. While missing the dates for any one of these plans could not be viewed as significant, the pattern of missing even notional schedule dates indicates either an insufficient schedule development process or a potential lack of schedule discipline. Given the already aggressive high-level schedule, any lack of schedule discipline must be viewed as a schedule risk to the overall deployment schedule.
•   Delays in SIT planning may cause schedule delays.
•   The test equipment has not been delivered. The stated schedule for the beginning of test (middle of August) is at risk due to delays in delivery of the test equipment.
•   The specifications for only 2 Parsers are complete/underway. Although they are expected to be easier than those for the first two collections, the specifications for the remaining 23 collections required for R1C2 have not begun. The ability to develop all 25 Parsers in time to deploy R1C2 by the end of 2008 is questionable. In fact, the Risk Management team has identified Parser development as one of the top Program risks.
•   A lack of clearly defined security controls and responsibilities creates a schedule risk. This risk is discussed in Section 4 of this report.


3. Cost Risks Identified

There are inherent cost risks associated with the technical and schedule risks. Program cost has been presented at the Program Review meetings with the indication that funds will be expended by January 2009; however, there is no correlation between the cost to date and performance (e.g., amount of total software completed). Since there is no IMS and PMP and therefore no earned value data, expenditures cannot be evaluated with respect to Program progress.

•   By their nature, cost risks are directly correlated with schedule risks. Any schedule increase generally results in additional costs.


4. System Security Plan Evaluation

During this quarter, IV&V performed an evaluation of the FDsys System Security Plan (SSP). The following risks were identified:

•   The confidentiality, integrity, and availability protection of FDsys is critical for successful operational purposes, regulatory compliance, and public confidence. The purpose of the GPO FDsys SSP is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The GPO FDsys SSP does contain a very methodical and detailed list of agency-based security requirements that would meet most government standards for security. However, it does not explain how those security requirements are being implemented, by whom (system level, or agency level and therefore a common control), and how the agency-based security controls relate/map to the FIPS 200[5] mandated minimum security controls.
•   The GPO FDsys SSP should also delineate responsibilities and expected behavior of all individuals who access the system. The GPO FDsys SSP fails to clearly and concisely provide sufficient detail for the Certification Authority and the Authorizing Official to base their initial acceptance and agreement of the security posture and residual risk associated with FDsys. Failure to clearly define the complete system architecture and associated security controls puts the system receiving a final Approval To Operate (ATO) in jeopardy and therefore delays the operational deployment to the GPO stakeholders and the public.

The detailed IV&V recommendations related to this task were delivered to the GPO Chief Information Officer (CIO) in a report dated April 22, 2008 and were briefed to the CIO and the program manager on April 28, 2008. A summary recommendation from this task is provided in Section 7 of this report.

[5] FIPS 200 is the Federal Information Processing Standards (FIPS) Publication 200, March 2006, Minimum Security Requirements for Federal Information and Information Systems.


5. Assess Design Phase Risk Management Plan and Process

During this quarter, IV&V also performed an assessment of the FDsys Risk Management Plan (RMP) and Risk Management Process. The findings of the report can be summarized as follows:

•   The PMO has reinstituted an active risk management program. This is a very positive development for the overall management of the FDsys program. A good risk management program enables a program office to identify and mitigate program risks before they become problems.
•   The RMP has been updated to reflect the reorganization of responsibilities between Harris and the GPO. Risk Review Board (RRB) meetings are being held every two weeks, as specified in the RMP. Risk Handling Plans are being developed by Risk Owners and are reviewed by the RRB. The Risk Database is being updated, and the status of risks is being reviewed and evaluated by the RRB.
•   A number of specific recommendations for improvement were made for both the Risk Management Plan and the Risk Management Process.

The IV&V recommendations related to this task were delivered to the GPO CIO in a report dated July 2, 2008. Following that delivery, IV&V and the FDsys Program Manager and Risk Manager met to review the recommendations. The specific recommendations were discussed and many have been adopted by the PMO. The PMO intends to update their plans and processes to include those recommendations. This collaborative approach provided more timely improvement to the PMO processes and will be used in future IV&V reviews of specific program plans and processes.

A single, more general, recommendation from the report is provided in Section 7 of this report.


6. Review SETA Contractor Quick Look Report

Another IV&V task completed during this quarter was an analysis of the Flatirons Solutions Quick Look Assessment of the GPO FDsys Development Approach.[6] Without restating the Flatirons report, the findings can be summarized as follows:

•   The Concept of Operations cannot be used as a foundation for development.[7]
•   A complete set of system architecture views does not exist.
•   Requirement definition and traceability are incomplete.
•   Key design features are incomplete.
•   Project management artifacts do not exist.
•   The BOM may not meet the needs of the incomplete design, and the equipment may not be available in time for SIT.
•   The FDsys PMO needs to align the program around a development methodology.

IV&V agrees with all of these findings.

The report concludes “…that the current approach to deliver a system in CY2008 is not achievable using the current system artifacts and development methodology.” IV&V agrees with this conclusion.

The report recommends an Agile[8] development methodology for FDsys. While IV&V agrees that adopting the iterative aspects of Agile would greatly improve the management and likelihood of success for FDsys, it should not be viewed as a “silver bullet”. Iterative development with well-defined builds is one way for GPO to begin to gain technical and management control of FDsys. Other aspects of the Agile methodology are typically most successful with relatively mature development organizations. While GPO and their contractors might benefit from the Agile methodology, they should not adopt it without significant training and coaching. Fully adopting Agile at this point in the development of R1C2 may cause further schedule delays.

Some of the artifacts that result from an Agile methodology, such as user stories, already exist in a number of different forms (e.g., use cases, workflows, and TDFs). GPO should try to develop a consistent set of artifacts that are traceable to one another and provide an end-to-end solution for FDsys. Perhaps some aspects of the Agile methodology could be adapted to provide that consistent set of artifacts.

The IV&V recommendations related to this task are provided in Section 7 of this report.

[6] Flatirons Solutions was hired in May of 2008 as a Systems Engineering and Technical Assistance Contractor (SETA). Their first task was to review the current technical and programmatic state of the FDsys program and provide evaluation and recommendations for achieving a December 2008 operational system.
[7] The FDsys PMO has never intended the current ConOps to be a departure point for the design. IV&V’s understanding has been that the ConOps provided a starting point for requirements development and that certain system concepts have evolved since the ConOps was developed. The scenarios provided by the ConOps have been replaced by other artifacts, such as use cases and workflows.
[8] Agile is a software development methodology that focuses on collaborative development, requirements adaptability, and short development iterations.


7. Recommendations

   1) IV&V recommends that the recently started program reviews continue on a monthly basis. They are both valuable and necessary for program success.

   Management’s Response. Concur. GPO concurs with the recommendation. The complete text of management’s response is in Appendix A.

   Evaluation of Management’s Response. Management’s actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are completed.

   2) IV&V recommends that the PMO clearly establish a design methodology that shows how all design artifacts being developed consistently flow from the system architecture down to the detailed design. The methodology chosen should be clearly documented for all engineers and developers.

   Management’s Response. Concur. GPO concurs that the design methodology going forward must be established and communicated to the technical team. As indicated previously, the plan is to use lessons learned from the first release to establish the appropriate methodology for future releases (see Appendix A).

   Evaluation of Management’s Response. Management’s actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are completed.

   3) IV&V recommends that the PMO establish the R1C2 requirements baseline and complete the trace of each requirement to the low-level component (software component, COTS, hardware) within the detailed design that is responsible for its implementation.

   Management’s Response. Concur. GPO agrees and the team is working to complete the traceability (see Appendix A).

   Evaluation of Management’s Response. Management’s actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are completed.

   4) IV&V recommends that GPO begin an update to the SSP. Prior to beginning that update, the PMO should meet with IV&V to discuss the detailed recommendations contained in that task report. The PMO should then decide which recommendations are appropriate for that update.

   Management’s Response. Concur. GPO agrees and the team is working to update the SSP (see Appendix A).

   Evaluation of Management’s Response. Management’s actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are completed.

   5) IV&V recommends that the Risk Manager regularly review all IV&V reports for identification of additional risks to be tracked in the Risk Database.

   Management’s Response. Concur. GPO will commit to including the risk manager in the distribution for all IV&V materials (see Appendix A).

   Evaluation of Management’s Response. Management’s actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are completed.


Appendix A. Management’s Response

(Management’s response is reproduced in the original report as scanned pages; the text of those pages is not available in this copy.)


Appendix B. Status of Recommendations

Recommendation No.    Resolved    Unresolved    Open/ECD*    Closed
        1                X                         TBD
        2                X                         TBD
        3                X                        9/11/08
        4                X                        9/12/08
        5                X                         TBD

*Estimated Completion Date


Appendix C. Report Distribution

Public Printer
Chief of Staff
General Counsel
Chief Management Officer
Chief Technology Officer
Chief Acquisition Officer